The SslStreamFactory uses SslStreamSettings to enable TLS 1.2, 1.1, and 1.0 by default:

    _enabledSslProtocols = enabledProtocols.WithDefault(SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls);

It notably does not enable TLS 1.3 because TLS 1.3 support was added in .NET 5. (It is available in netcoreapp3.1 but not netstandard2.1.) We need to add support for .NET 5 and enable TLS 1.3 by default. We should also stop enabling TLS 1.0 and 1.1 by default, as they have known vulnerabilities. This will be done in CSHARP-5263 as it is a breaking change.
Another possibility is to use SslProtocols.None, which allows the operating system to choose the best protocol to use and to block protocols that are not secure. Microsoft recommends this setting unless your app has a specific reason not to. We should consider the pros and cons of explicitly enabling protocols versus deferring to the operating system.
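Current users of the driver can opt into TLS 1.3 via:

    using System.Security.Authentication;
    using MongoDB.Driver;

    const string MONGODB_URI = "<<YOUR CONNECTION STRING>>";
    var settings = MongoClientSettings.FromConnectionString(MONGODB_URI);
    settings.SslSettings ??= new SslSettings(); // SslSettings may be null if nothing has set it yet
    settings.SslSettings.EnabledSslProtocols = SslProtocols.Tls13; // offer TLS 1.3 only
    var client = new MongoClient(settings);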
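One way to audit a configured protocol mask before handing it to the driver, given as an added example that is not the driver's own code; the names TlsPolicy and Harden are hypothetical and .NET 6 or later is assumed. It strips SSL and TLS 1.0/1.1 from a mask and refuses to let the result collapse to SslProtocols.None, which would silently mean "OS defaults" rather than "nothing enabled".

```csharp
using System;
using System.Security.Authentication;
#pragma warning disable CS0618, SYSLIB0039 // obsolete enum members are named on purpose

// Added example; TlsPolicy and Harden are hypothetical names, not driver APIs.
static class TlsPolicy
{
    // SSL 2/3 plus the two TLS versions the ticket proposes dropping from the defaults.
    const SslProtocols Weak =
        SslProtocols.Ssl2 | SslProtocols.Ssl3 | SslProtocols.Tls | SslProtocols.Tls11;

    // Returns the mask to apply and reports which weak protocols were removed.
    public static SslProtocols Harden(SslProtocols configured, out SslProtocols removed)
    {
        removed = configured & Weak;
        if (configured == SslProtocols.None)
            return SslProtocols.None;      // caller explicitly deferred to the OS

        var kept = configured & ~Weak;
        // Stripping every bit leaves 0, which equals SslProtocols.None and would
        // turn "only TLS 1.0" into "whatever the OS allows". Fail instead.
        if (kept == SslProtocols.None)
            throw new InvalidOperationException(
                $"'{configured}' enables only deprecated protocols");
        return kept;
    }

    static void Main()
    {
        // Constructed inputs: the default quoted above, a TLS 1.3 opt-in, OS default.
        var samples = new[]
        {
            SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls,
            SslProtocols.Tls13,
            SslProtocols.None,
        };
        foreach (var mask in samples)
        {
            var result = Harden(mask, out var removed);
            Console.WriteLine($"{mask} -> {result} (removed: {removed})");
        }
        try { Harden(SslProtocols.Tls, out _); }
        catch (InvalidOperationException e) { Console.WriteLine($"rejected: {e.Message}"); }
    }
}
```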
Related to:
- CSHARP-5263 Remove TLS1.0 and 1.1 (Closed)
- CSHARP-4904 Add .NET 6 target framework (Closed)